Merge pull request #1472 from crazy-max/ci-attest

ci: opt-in sbom and provenance
2 years ago · fbbe1c1b91
parent 53d88a79ef 1a85745bf1
commit fbbe1c1b91
3 changed files with 61 additions and 21 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -21,6 +21,8 @@ on:
      - 'docs/**'

 env:
+  BUILDX_VERSION: "v0.10.0-rc1"
+  BUILDKIT_IMAGE: "moby/buildkit:v0.11.0-rc3"
  REPO_SLUG: "docker/buildx-bin"
  DESTDIR: "./bin"

@ -35,7 +37,9 @@ jobs:
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
-          version: latest
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
      -
        name: Test
        uses: docker/bake-action@v2
@ -92,22 +96,23 @@ jobs:
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
-          version: latest
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
      -
        name: Build
-        uses: docker/bake-action@v2
-        with:
-          targets: release
-          set: |
-            *.platform=${{ matrix.platform }}
-            *.cache-from=type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
-            *.cache-to=type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max
+        run: |
+          make release
+        env:
+          PLATFORMS: ${{ matrix.platform }}
+          CACHE_FROM: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
+          CACHE_TO: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max
      -
        name: Upload artifacts
        uses: actions/upload-artifact@v3
        with:
          name: buildx
-          path: ${{ env.DESTDIR }}/release/*
+          path: ${{ env.DESTDIR }}/*
          if-no-files-found: error

  bin-image:
@ -124,7 +129,9 @@ jobs:
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
-          version: latest
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
      -
        name: Docker meta
        id: meta
@ -156,6 +163,8 @@ jobs:
          set: |
            *.cache-from=type=gha,scope=bin-image
            *.cache-to=type=gha,scope=bin-image,mode=max
+            *.attest=type=sbom
+            *.attest=type=provenance,mode=max,builder-id=https://github.com/${{ env.GITHUB_REPOSITORY }}/actions/runs/${{ env.GITHUB_RUN_ID }}

  release:
    runs-on: ubuntu-22.04
@ -206,7 +215,7 @@ jobs:
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
-          version: latest
+          version: ${{ env.BUILDX_VERSION }}
          driver-opts: image=moby/buildkit:master
          buildkitd-flags: --debug
      -
--- a/4
+++ b/4
@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.4
+# syntax=docker/dockerfile-upstream:master

 ARG GO_VERSION=1.19
 ARG XX_VERSION=1.1.2
@ -58,6 +58,8 @@ FROM scratch AS binaries-windows
 COPY --link --from=buildx-build /usr/bin/docker-buildx /buildx.exe

 FROM binaries-$TARGETOS AS binaries
+# enable scanning for this stage
+ARG BUILDKIT_SBOM_SCAN_STAGE=true

 # Release
 FROM --platform=$BUILDPLATFORM alpine AS releaser
--- a/hack/release
+++ b/hack/release
@ -2,27 +2,56 @@

 set -eu -o pipefail

+: "${GITHUB_ACTIONS=}"
+: "${GITHUB_REPOSITORY=}"
+: "${GITHUB_RUN_ID=}"
+
 : "${BUILDX_CMD=docker buildx}"
 : "${DESTDIR=./bin/release}"
 : "${CACHE_FROM=}"
 : "${CACHE_TO=}"
+: "${PLATFORMS=}"

 if [ -n "$CACHE_FROM" ]; then
  for cfrom in $CACHE_FROM; do
-    cacheFlags+=(--set "*.cache-from=$cfrom")
+    setFlags+=(--set "*.cache-from=$cfrom")
  done
 fi
 if [ -n "$CACHE_TO" ]; then
  for cto in $CACHE_TO; do
-    cacheFlags+=(--set "*.cache-to=$cto")
+    setFlags+=(--set "*.cache-to=$cto")
  done
 fi
+if [ -n "$PLATFORMS" ]; then
+  setFlags+=(--set "*.platform=$PLATFORMS")
+fi
+if ${BUILDX_CMD} build --help 2>&1 | grep -- '--attest' >/dev/null; then
+  prvattrs="mode=max"
+  if [ "$GITHUB_ACTIONS" = "true" ]; then
+    prvattrs="$prvattrs,builder-id=https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
+  fi
+  setFlags+=(--set "*.attest=type=sbom")
+  setFlags+=(--set "*.attest=type=provenance,$prvattrs")
+fi
+
+output=$(mktemp -d -t buildx-output.XXXXXXXXXX)

-# release
-(set -x ; ${BUILDX_CMD} bake "${cacheFlags[@]}" --set "*.output=$DESTDIR" release)
+(
+  set -x
+  ${BUILDX_CMD} bake "${setFlags[@]}" --set "*.args.BUILDKIT_MULTI_PLATFORM=true" --set "*.output=$output" release
+)

-# wrap binaries
-mv -f ./${DESTDIR}/**/* ./${DESTDIR}/
-find ./${DESTDIR} -type d -empty -delete
+for pdir in "${output}"/*/; do
+  (
+    cd "$pdir"
+    binname=$(find . -name 'buildx-*')
+    filename=$(basename "${binname%.exe}")
+    mv "provenance.json" "${filename}.provenance.json"
+    mv "sbom-binaries.spdx.json" "${filename}.sbom.json"
+    find . -name 'sbom*.json' -exec rm {} \;
+  )
+done

-source ./hack/hash-files
+mkdir -p "$DESTDIR"
+mv "$output"/**/* "$DESTDIR/"
+rm -rf "$output"